Can You Prevent a Denial-of-Service Attack on Your Website?

There’s bad news and good news about “denial-of-service” attacks on business websites.

The bad news: The types of hackers whose exploits slowed or shut down some of the Internet’s largest e-commerce sites a few years ago are still around. Reports of successful attacks are now fewer and farther between, thanks largely to more advanced security measures. But attackers constantly grow more sophisticated as well. Experts warn that many constantly look for ways to outwit those protective technologies.

The (relatively) good news, from a small-business perspective: When attackers occasionally do go after specific targets, they tend to aim for large, high-profile trophies rather than small-business websites. And even when an individual attack occurs, it’s temporarily worrisome and disruptive -- but usually a less-serious threat than a break-in that gives intruders access to confidential or valuable data.

In fact, computer viruses and worms are actually more likely to cause more extensive (and expensive) headaches for small and mid-size businesses than denial-of-service attacks.

But it still makes sense for small businesses to know enough about the attacks to try to prevent them -- or, once they’re in progress, to combat them while minimizing damage to their websites, systems and businesses.

Denial of service defined

“Denial of service,” often abbreviated as “DoS,” simply means that an attacker has bombarded a website with so many automated requests for service that its underlying systems get sluggish or crash. In a “distributed denial of service” incident (DDoS), perpetrators “distribute” the barrage of fake service requests among multiple computers, many of them unprotected PCs whose owners don’t realize that their machines are being remotely controlled to participate in an attack.

DoS cases made the biggest headlines in 2000 and 2001 when hackers -- some of them just teenagers -- attacked some of the Web’s best-known storefronts, including Amazon, eBay, E-Trade and Yahoo! Nearly 13,000 DDoS attacks occurred worldwide during one three-week period in February 2001 alone, according to a study by researchers at the University of California at San Diego. While 90 percent of those lasted less than two hours, some companies estimated six- and seven-figure damages from lost revenues and necessary security upgrades.

Such improvements -- such as intrusion-detection software that quickly identifies and blocks attack-related traffic while handling legitimate service requests -- have since helped reduce the number of DoS attacks on individual websites. “I don’t know of one I’ve heard of recently that’s been successful,” former White House cybersecurity adviser Howard Schmidt told an Internet security conference in late 2005.

But security experts warn that the lull in DoS attacks is no reason to become complacent. The real threat now, they say, is essentially cyberterrorism: a large-scale, remotely coordinated assault, that, while most likely to target government sites and key industries such as banks and utilities, could do widespread damage all over the Internet.

Taking action

So how can small businesses protect their websites against DoS attacks? Following are a few key steps:

Buy the strongest security solutions that you can afford (you may want to hire a specialist to help you choose). Some newer products can quickly detect DoS attacks, filtering out bogus service requests so that legitimate ones can get through.

Regularly update all software against new threats.

Be vigilant about backing up and storing data so that it’s protected if your systems crash.

Design for survivability. The U.S. Computer Emergency Readiness Team (CERT) at Carnegie Mellon University (see “For More Information,” below) recommends separating and compartmentalizing critical services so that even if one fails, others keep running.

Check with your telecom and Internet service providers about what measures they’re taking to protect your website and systems. If you’re not satisfied with security-level guarantees, consider switching services.

Develop and regularly review a business-continuity plan that clearly lays out procedures for responding to DoS attacks and other IT security threats.

Bottom line: You can’t prevent someone from launching a DoS attack. But it’s entirely possible to prepare for one -- and to protect your systems and your business against it.

Anne Stuart, a former Inc. senior writer, is a Boston-based journalist who specializes in covering business and technology.

“Managing the Threat of Denial-of-Service Attacks” (PDF), CERT, this comprehensive report offers a thorough grounding in DoS attacks followed by technical advice for responding to them.www.cert.org/archive/pdf/Managing_DoS.pdf

“Barbarians at the Gate: An Introduction to Distributed Denial of Service Attacks,” SecurityFocus, this article provides a good background about DoS attacks along with multiple links to additional information.www.securityfocus.com/infocus/1647